[rbldnsd] The basics - help

Amos Jeffries amos at treenet.co.nz
Thu Feb 15 09:37:14 MSK 2007


Michael Tokarev wrote:
> amos at treenetnz.com wrote:
> []
>>> Setting up a forward of each CIDR ip pool based on country.
>>>
>>> zone "AE.blocked.rbl" IN {
>>>   type forward;
>>>   forward first;
>>>   forwarders {
>>>     127.0.0.1 port 530;
>>>   };
>>> };
> 
> First of all this "forward first" is WRONG.  It directs BIND to query
> the given nameserver (127.0.0.1:530 in this case) AND if that failed,
> process normally starting from regular root nameservers.  This way,
> if rbldnsd is, say, reloading and thus not answering promptly, you'll
> get NXDOMAIN for existing entries.
> 
> Please follow this simple rule: For all your internal domains, don't
> let queries out.
> 
> []
>> You may be able to reduce this bit of the configuration a lot by using:
>> zone "blocked.rbl" IN {
>>   type forward;
>>   forward first;
> 
> ditto
> 
>>   forwarders {
>>   127.0.0.1 port 530;
>>   };
>> };
>>
>> rbldnsd will return NXDOMAIN for _anything_ outside its specified and
>> correctly loaded zone content. This produces a possible answer to your
>> other question about UK.
> 
> This is wrong.  rbldnsd will return REFUSED for any base zone not specified
> on the command line.  Say, you loaded a.rbl and b.rbl, and query for c.rbl -
> rbldnsd will correctly return REFUSED because it doesn't know anything about
> it and can't perform recursive lookups.
> 
> But together with the above mistake ("forward first"), the whole thing WILL
> work - it's a rare case where two minuses gives a plus as a result.  But it's
> only visible plus - internally the query goes thru outside nameservers which
> it shouldn't.
> 
> /mjt
> 

Oops, I checked against the local config for RBL mirrors here. In that 
case I do want to redirect to an upstream if the local daemon has trouble.
Sorry.

AYJ
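Added example, not from the thread: a BIND 9 named.conf fragment showing the "forward first" form Michael objects to beside the "forward only" form that keeps queries for the local rbldnsd zone from ever leaving the host. The zone name and the rbldnsd listener at 127.0.0.1 port 530 are taken from the thread; the two zone statements are a before/after pair, not meant to sit in one file together.

```conf
// Added example (not from the thread). BIND 9 syntax assumed; zone name
// and rbldnsd listener address/port are the ones used in the discussion.

// BEFORE, as posted: "forward first" tries rbldnsd, and if it does not
// answer promptly (e.g. while reloading) BIND falls back to normal
// recursion from the root servers. The query for an internal zone leaks
// out, and a timeout on a listed entry comes back as NXDOMAIN.
zone "blocked.rbl" IN {
    type forward;
    forward first;
    forwarders { 127.0.0.1 port 530; };
};

// AFTER: "forward only" never sends the query anywhere but the listed
// forwarder. If rbldnsd is down or reloading, the client gets SERVFAIL
// instead of a misleading NXDOMAIN, and nothing about the internal zone
// goes to outside nameservers.
zone "blocked.rbl" IN {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 530; };
};
```

Run `named-checkconf` on the edited file before reloading BIND to catch syntax slips.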
